
GAO
United States Government Accountability Office
Report to Congressional Requesters
March 2013

INFORMATION SHARING
Additional Actions Could Help Ensure That Efforts to Share Terrorism-Related Suspicious Activity Reports Are Effective

This report was revised on March 26, 2013, to correct dates on pages 19 and 51 and correct an error on page 53.

Highlights of GAO , a report to congressional requesters
March 2013
INFORMATION SHARING
Additional Actions Could Help Ensure That Efforts to Share Terrorism-Related Suspicious Activity Reports Are Effective

Why GAO Did This Study

In 2007, DOJ and its federal partners developed the Nationwide Suspicious Activity Reporting Initiative to establish a capability to gather and share terrorism-related suspicious activity reports. GAO was asked to examine the initiative's progress and performance. This report addresses the extent to which (1) federal agencies have made progress in implementing the initiative, and what challenges, if any, remain; (2) the technical means used to collect and share reports overlap or duplicate each other; (3) training has met objectives and been completed; and (4) federal agencies are assessing the initiative's performance and results. GAO analyzed relevant documents and interviewed federal officials responsible for implementing the initiative and stakeholders from seven states (chosen based on their geographic location and other factors). The interviews are not generalizable but provided insight on progress and challenges.

What GAO Recommends

GAO recommends that DOJ implement formalized mechanisms to provide stakeholders feedback on the suspicious activity reports they submit, mitigate risks from supporting two systems to collect and share reports that may result in the FBI not receiving needed information, more fully assess if training for line officers meets their needs, and establish plans and time frames for implementing measures that assess the homeland security results the initiative has achieved. DOJ agreed with these recommendations and identified actions taken or planned to implement them.

View GAO For more information, contact Eileen R. Larence at (202) or

What GAO Found

The Department of Justice (DOJ) has largely implemented the Nationwide Suspicious Activity Reporting Initiative among fusion centers (entities that serve as the focal point within a state for sharing and analyzing suspicious activity reports and other threat information). The state and local law enforcement officials GAO interviewed generally said the initiative's processes worked well, but that they could benefit from additional feedback from the Federal Bureau of Investigation (FBI) on how the reports they submit are used. The FBI has a feedback mechanism, but not all stakeholders were aware of it. Implementing formalized feedback mechanisms as part of the initiative could help stakeholders conduct accurate analyses of terrorism-related information, among other things.

The technical means that federal, state, and local entities use to collect and share terrorism-related suspicious activity reports (Shared Spaces servers that DOJ provides to most fusion centers and the FBI's eGuardian system) provide many overlapping or duplicative services. For example, both systems provide a national network for sharing the reports and tools to analyze them. The federal government is aware that duplication exists but supports both systems to enable fusion centers to control information on individuals, consistent with the centers' privacy requirements, and facilitate the FBI's investigative needs. However, the FBI was concerned that supporting two systems introduces risks that it will not receive all reports. For example, at the time of our review, many fusion centers were choosing not to automatically share all of their reports with the FBI's system (although they may have shared reports via phone or other means), and DOJ had not fully diagnosed why. In its March 2013 letter commenting on a draft of this report, DOJ stated that it had made progress on this issue. DOJ also had not formally tested the exchange of information between the two systems to ensure that the exchanges were complete. Taking additional steps to mitigate the risks that reports are not fully shared could help DOJ ensure that the FBI receives all information that can support investigations.

Stakeholders GAO interviewed generally reported that training fully or partially met objectives, such as making law enforcement more aware of the initiative. DOJ has mechanisms to assess the analyst training to help ensure that analysts have the information they need to review and share reports. However, DOJ had not fully assessed its training provided to officers on the front line, which could help ensure that officers receive sufficient information to be able to recognize terrorism-related suspicious activity. DOJ has provided training to executives at 77 of 78 fusion centers, about 2,000 fusion center analysts, and about 290,000 of the 800,000 line officers. DOJ is behind schedule in training the line officers but is taking actions to provide training to officers who have not yet received it.

DOJ and other agencies collect some data to assess the performance of the Nationwide Suspicious Activity Reporting Initiative, such as the number of reports submitted and resulting FBI investigations. These data show that stakeholders were increasingly submitting and using terrorism-related reports. However, DOJ had not yet established plans and time frames for implementing measures that assess the homeland security results achieved by the initiative and thus lacked a means for establishing accountability for implementing them.

Contents

Letter
Background
Almost All Fusion Centers and 53 Federal Agencies Are Participating in the NSI, but Feedback on the Use of SARs Could Be Enhanced
Maintaining Two Systems That Duplicate the Function of Sharing ISE-SARs Introduces Risks That Have Not Been Fully Addressed
Selected Stakeholders Reported Training to Date Generally Met Objectives, but Some Training Is behind Schedule and Has Not Been Fully Assessed
ISE-SARs Are Increasingly Being Used to Support Investigations and Analysis, but the PMO Is Not Measuring the Homeland Security Results Achieved
Conclusions
Recommendations for Executive Action
Agency Comments and Our Evaluation

Appendix I: Scope and Methodology
Appendix II: Functional Standard Terrorism-Related SAR Criteria Guidance
Appendix III: Federal Agencies Participating in the NSI
Appendix IV: Similar and Unique Services Provided by Shared Spaces and eGuardian
Appendix V: SAR Retention Policies in the FBI's eGuardian and Guardian Systems

Figure 4: Terrorism-Related Suspicious Activity Reports and Resulting FBI Investigations

Abbreviations

ACS: Automated Case Support
DHS: Department of Homeland Security
DOD: Department of Defense
DOJ: Department of Justice
FBI: Federal Bureau of Investigation
I&A: Office of Intelligence and Analysis
ISA IPC: Information Sharing and Access Interagency Policy Committee
ISE: Information Sharing Environment
IT: information technology
JTTF: Joint Terrorism Task Force
NARA: National Archives Records Administration
NSI: Nationwide Suspicious Activity Reporting Initiative
PMO: NSI Program Management Office
PM-ISE: Program Manager for the Information Sharing Environment
SAR: Suspicious Activity Report

This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.

United States Government Accountability Office
Washington, DC

March 13, 2013

Congressional Requesters

The attempted car bombing of Times Square in May 2010 was a planned terrorist attack that was foiled when street vendors alerted a New York Police Department officer after they spotted smoke coming from a vehicle. Two days later, federal agents arrested a 30-year-old Pakistan-born resident of Connecticut who subsequently pleaded guilty for attempting to carry out the attack. Every day, in the course of their duties, law enforcement officers at all levels of government (federal, state, local, and tribal) observe suspicious behaviors and receive information from concerned citizens, private security, and other government agencies, that could help detect, prevent, or deter a terrorist attack.

Consistent with provisions of law and executive branch policy addressing the need for information systems wherein state, local, and tribal law enforcement agencies could contribute potentially terrorism-related information, the federal government developed the Nationwide Suspicious Activity Reporting Initiative (NSI) in The NSI establishes a nationwide capability to gather and share Suspicious Activity Reports (SAR) that have a potential nexus to terrorism.² These reports facilitate the identification and mitigation of potential terrorist threats as well as analysis to determine whether there are emerging patterns or trends suggesting such threats.

In March 2010, the Department of Justice (DOJ) established the NSI Program Management Office (PMO) to support nationwide implementation of standardized processes for sharing terrorism-related SARs among federal, state, and local law enforcement agencies. To support NSI implementation, the PMO has facilitated the rollout of information-sharing technology and developed a training strategy designed to enhance law enforcement professionals' ability to identify, report, evaluate, and share terrorism-related SARs.

We have designated the sharing of terrorism-related information as high risk because of the significant challenges the federal government faces in sharing this information in a timely, accurate, and useful manner.³ The NSI is a key government program intended to address such challenges. You requested that we assess the NSI's progress and performance. In response to your request, this report addresses the extent to which DOJ and other federal entities have made progress in implementing the NSI, and what challenges remain, if any; the technical means that NSI stakeholders use to collect and share SARs overlap or duplicate each other and any risks this overlap or duplication may introduce; NSI training has met objectives, the PMO has assessed the training, and the training has been completed; and the PMO has assessed how well the NSI is working and the homeland security results it has achieved.

To address these objectives, we analyzed NSI programmatic documents, such as the NSI concept of operations and annual reports, and analyzed DOJ data including data on NSI implementation, training, costs, and results from the inception of the PMO in fiscal year 2010 through fiscal year We also interviewed officials from the Program Manager for the Information Sharing Environment (PM-ISE), DOJ, and the Department of Homeland Security (DHS) who are responsible for overseeing NSI efforts.⁴ We obtained information from DOJ officials who manage the data about the steps taken to ensure their accuracy, and found the data to be sufficiently reliable for the purposes of this report.

¹ See, e.g., 6 U.S.C. § 485 (directing the President to create an information-sharing environment that, among other things, provides or supports a decentralized, distributed, and coordinated environment for sharing terrorism-related information), and Executive Office of the President, National Strategy for Information Sharing: Successes and Challenges in Improving Terrorism-Related Information Sharing (Washington D.C.: October 2007).

² In general, a SAR is official documentation of observed behavior reasonably indicative of preoperational planning related to terrorism or other criminal activity. The NSI facilitates the sharing of terrorism-related SARs.

³ Terrorism-related information sharing remained a high-risk area for our February 2013 update. See GAO, High-Risk Series: An Update, GAO (Washington, D.C.: Feb. 14, 2013) for the most recent update.

⁴ The PM-ISE plans for, oversees implementation of, and manages the government-wide Information Sharing Environment (ISE), an approach for sharing terrorism-related information that may include any method deemed necessary and appropriate. See 6 U.S.C. § 485(a)(3), (f).

In addition, to address the first three objectives, we interviewed nonprobability samples of officials from entities participating in the NSI, including officials from seven state or major urban area fusion centers, entities that serve as the focal point within a state for sharing and analyzing threat information.⁵ We selected these centers based on their size, geographic location, and level of participation in the NSI, among other factors. At each center, we interviewed executives and analysts to obtain perspectives on NSI processes and related training they received. We also interviewed officials from each center who were familiar with their entities' systems for documenting and sharing terrorism-related SARs. Further, we interviewed Federal Bureau of Investigation (FBI) officials from field offices in proximity to the fusion centers we contacted who are responsible for investigating and analyzing SARs, as well as officials from five local law enforcement agencies in these locations who had taken NSI training. To obtain perspectives from participating federal agencies, we interviewed officials from the Federal Protective Service and the Bureau of Alcohol, Tobacco, Firearms and Explosives, which we selected based upon these agencies having a large number of officers who have received NSI training. Although the views of the individuals in our samples provide valuable insight into the implementation of the NSI, they are not generalizable to all federal, state, and local entities participating in the NSI.

We took additional steps to address the second, third, and fourth objectives regarding NSI technology, training, and results, respectively. To address the second objective, we analyzed DOJ documentation regarding the two primary systems that stakeholders use to collect, share, and analyze SARs (the PMO's Shared Spaces and the FBI's eGuardian system), such as user manuals and implementation guides. We compared the services of each system to determine the extent to which they overlap or were duplicative and assessed the extent to which DOJ followed best practices for ensuring that the systems effectively exchange information.⁶ To address the third objective, we analyzed PMO documentation regarding training objectives, targets, and recipient feedback mechanisms using leading practices for training programs.⁷ To address the fourth objective, we assessed the PMO's plans for measuring the results the NSI has achieved using best practices for program management.⁸ Appendix I contains more details about our scope and methodology.

We conducted this performance audit from February 2012 to March 2013 in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence we obtained provides a reasonable basis for our findings and conclusions based on our audit objectives.

Background

NSI Partners

The NSI is a federal initiative that involves a collaborative effort of a number of federal, state, local, and private sector partners. Their roles are described in table 1.

Table 1: Nationwide Suspicious Activity Reporting Initiative Partners

Partner: Program Manager for the Information Sharing Environment (PM-ISE)
Role:
Plan for, oversee implementation of, and manage the Information Sharing Environment (ISE), an approach for sharing terrorism-related information that may include any method deemed necessary and appropriate,ᵃ in accordance with the Intelligence Reform and Terrorism Prevention Act of 2004, as amended.
Developed Suspicious Activity Report (SAR) processes that eventually became the Nationwide Suspicious Activity Reporting Initiative (NSI), spending approximately $8 million on SAR-related activities from fiscal years 2006 through
Transferred management of the NSI to the Department of Justice (DOJ) after the administration designated DOJ as the executive agent for the program in December
Issues government-wide guidelines and standards for the management and operations of the NSI, and the ISE more generally.

⁵ Unlike a random sample, a nonprobability sample is more deliberatively chosen, meaning that some elements of the population being studied have either no chance or an unknown chance of being selected as part of the sample. Appendix I contains more information on the rationales we used to choose our samples.

⁶ Best practices are included in DOJ, The Department of Justice Systems Development Life Cycle Guidance Document (Washington D.C.: January 2003).

⁷ See, for example, GAO, Human Capital: A Guide for Assessing Strategic Training and Development Efforts in the Federal Government, GAO G (Washington D.C.: March 2004).

⁸ The Project Management Institute, The Standard for Program Management (Newtown Square, PA: 2006).

Partner: Program Management Office (PMO)
Role:
Established within DOJ's Bureau of Justice Assistance in March
Responsible for implementing the NSI and assisting agencies with adopting compatible processes, policies, and standards that foster the sharing of SARs while ensuring that privacy, civil rights, and civil liberties are protected.
Developed training programs on identifying, reporting, evaluating, and sharing SARs to help prevent acts of terrorism.
Expended approximately $5.5 million in fiscal year 2010 and $4.1 million over fiscal years 2011 and 2012 to help implement the NSI.ᵇ
Plans to spend up to an estimated $6.5 million in fiscal year 2013 to support NSI training and technology maintenance costs and enhancement, contingent upon available appropriations.

Partner: Federal Bureau of Investigation (FBI)
Role:
Has jurisdiction over terrorism-related investigations and is responsible for investigating all terrorism-related SARs.
Established Joint Terrorism Task Forces (JTTF) to investigate terrorism-related activity in 103 cities nationwide, which include members from state and local law enforcement agencies as well as officials from other federal agencies, such as DHS and the Department of Defense (DOD).
Leads efforts to implement the NSI among federal entities.
Provides one of the technology platforms for the NSI (eGuardian), which is linked to the FBI's classified Guardian incident management system.

Partner: Department of Homeland Security (DHS)
Role:
The Office of Intelligence and Analysis (I&A) is DHS's lead component with responsibilities for sharing terrorism-related information with all levels of government and the private sector.
I&A is responsible for implementing ISE initiatives at DHS, including the NSI, and coordinating DHS policy, training, and technical solutions related to the NSI.
I&A develops and distributes intelligence reports that are based in whole or in part on analysis of terrorism-related SARs shared through the NSI and provides training to fusion center personnel on SAR analysis methods and tools.
DHS's Privacy Office and Office for Civil Rights and Civil Liberties also participate in NSI training.
DHS's Office of Infrastructure Protection and I&A work together to implement the NSI among owners and operators of critical infrastructure (assets and systems vital to the economy or health of the nation), such as oil refineries, dams, and telecommunications.ᶜ

Partner: Information Sharing and Access Interagency Policy Committee
Role:
Established in July 2009 within the Executive Office of the President to identify information-sharing priorities, among other things.
Includes representation of participating ISE agencies such as DOJ, DHS, and DOD and provides oversight and guidance to the ISE.
Has a SAR Subcommittee that focuses on future high-level policies for federal SAR information sharing.

Partner: Fusion centers
Role:
Focal points within states and localities for the receipt, analysis, gathering, and sharing of terrorism and other threat-related information, including SARs.
Generally owned and operated by state and local entities with support from federal agencies that collectively provide resources, expertise, and information to detect, prevent, and respond to criminal and terrorist activity.
Review SARs contributed by state and local entities within their jurisdictions (such as law enforcement agencies) to determine whether they are terrorism-related and should be shared through the NSI.
Analyze SARs and develop relevant products to disseminate to other NSI stakeholders to help identify and address immediate and emerging threats.

Partner: State, local, and tribal law enforcement and hometown security partners
Role:
State, local, and tribal law enforcement agencies gather information regarding behaviors and incidents that may have a nexus to terrorism. The NSI creates a standardized process for collecting and sharing this information.
Hometown security partners (such as critical infrastructure owners and operators, firefighters, emergency medical service providers, and private sector security professionals) also have routine duties that position them to observe and report suspicious behaviors.

Source: GAO analysis of PM-ISE, DOJ, and DHS documents and interviews.

ᵃ See Pub. L. No , 1016, 118 Stat. 3638, (2004) (codified as amended at 6 U.S.C. § 485).

ᵇ Funding amounts do not include federal staff that support the PMO, which are provided by DOJ's Bureau of Justice Assistance, the FBI, DHS, and the PM-ISE. Staffing levels ranged from a total of 6.5 full-time equivalents in fiscal year 2010 to 4.75 full-time equivalents in fiscal year The $4.1 million expended in fiscal years 2011 and 2012 was from amounts appropriated in

ᶜ Consistent with Homeland Security Presidential Directive/HSPD-7 (Dec. 17, 2003), DHS has identified 18 critical infrastructure sectors: Food and Agriculture; Banking and Finance; Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Healthcare and Public Health; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems; and Water. Presidential Policy Directive/PPD-21, issued February 12, 2013, revoked HSPD-7 and realigns the 18 sectors into 16 critical infrastructure sectors but also provides that plans developed pursuant to HSPD-7 shall remain in effect until specifically revoked or superseded.

Nationwide SAR Process

The NSI builds upon established, but largely ad hoc, processes that law enforcement agencies have used for years to collect information on suspicious activities. In 2008, the PM-ISE, in coordination with the Executive Office of the President and state, local, and tribal partners, established a Functional Standard that defines processes for collecting and sharing SARs that have a potential nexus to terrorism. Among other things, the Functional Standard includes a set of behavior-based criteria for analysts to use to help them determine if a SAR has a potential nexus to terrorism (such as a breach or attempted intrusion, expressed or implied threat, or cyber attack) and should be shared with other NSI participants.⁹ SARs that are determined to have a potential nexus to terrorism pursuant to the Functional Standard are known as ISE-SARs.¹⁰

⁹ PM-ISE, ISE Functional Standard: Suspicious Activity Reporting, Version 1.5, ISE-FS-200 (Washington D.C.: May 21, 2009). Appendix II contains additional information on the Functional Standard.

¹⁰ According to FBI officials, the FBI uses the criteria in the eGuardian Privacy Impact Assessment (dated November 25, 2008) and the FBI's Domestic Investigations and Operations Guide to determine if SARs have a potential nexus to terrorism. The officials said that these criteria are generally consistent with the Functional Standard and the FBI and PMO are taking steps to further harmonize the criteria.

The PMO, FBI, and other entities further clarified the business processes associated with sharing ISE-SARs in an April 2012 two-page bulletin. Figure 1 outlines the process for collecting, disseminating, and utilizing SARs.

Figure 1: Nationwide Process for Collecting, Disseminating, and Utilizing Terrorism-related Suspicious Activity Reports

ᵃ According to FBI officials, the FBI uses the criteria in the eGuardian Privacy Impact Assessment (dated November 25, 2008) and the FBI's Domestic Investigations and Operations Guide to determine if SARs have a potential nexus to terrorism. The officials said that these criteria are generally consistent with the Functional Standard and the FBI and PMO are taking steps to further harmonize the criteria.

Systems Used to Share ISE-SARs

The NSI leverages technologies (the ISE Shared Spaces and the FBI's eGuardian system) to facilitate the collection, dissemination, and utilization of ISE-SARs. Previously, federal, state, local, and tribal law enforcement entities generally stored SARs at the local agency level and used nonstandard methods such as telephone, fax, or to share SARs with the FBI. Law enforcement entities may continue to use these methods for submitting SARs to the FBI, but the development of Shared Spaces and eGuardian allows for electronic submission, sharing, and access to ISE-SARs for analysis nationwide. Shared Spaces and eGuardian were created during the same time frame (2007 to 2009), and both systems were first implemented in

The PMO has provided Shared Spaces servers to most fusion centers across the country. These servers allow centers to store ISE-SARs locally and retain ownership and exclusive control over modifying and deleting them, consistent with state laws and regulations and fusion center policies designed to protect privacy.¹¹ ISE-SARs that are modified or deleted in a fusion center's information system are subsequently modified or deleted in its Shared Spaces server through a regularly scheduled update process. A search tool called the NSI Federated Search allows fusion centers to use a single query to view ISE-SARs located on Shared Spaces servers across the country.

The FBI's eGuardian system is an unclassified part of the FBI's secret-level counterterrorism incident management system (Guardian) that is used to support the FBI's investigative needs. eGuardian was created to bridge the gap between the classified Guardian system and the sensitive but unclassified law enforcement environment. eGuardian's Privacy Impact Assessment notes that all SARs submitted to eGuardian remain the property and under the control of the submitting agency. All ISE-SARs¹² that fusion centers submit to eGuardian are forwarded to Guardian. The FBI may also send unclassified information from Guardian to eGuardian. eGuardian has a search tool that allows users to view eGuardian ISE-SARs submitted by users nationwide. To make ISE-SARs in eGuardian searchable and viewable to Federated Search users, the FBI maintains an eGuardian Shared Spaces server and forwards all eGuardian ISE-SARs to this server.¹³

Privacy and Civil Liberties

Federal, state, and local agencies have taken steps to help address the protection of privacy, civil rights, and civil liberties during the nationwide SAR process. For example, the NSI definition of a SAR was developed with input from several privacy, civil rights, and civil liberties advocacy groups. In addition, the Functional Standard uses behavior-based criteria for determining whether an activity has a potential nexus to terrorism (such as attempting to enter a restricted area or protected site) and notes that SARs should not be based solely on First Amendment-protected activities or factors, such as race, ethnicity, or religion. The Functional Standard also defines personal information as any information that may be used to identify individuals, such as an address, Social Security number, or license plate, and identifies which data elements within SARs may contain such personal information. The Functional Standard further recognizes that laws that prohibit or otherwise limit the sharing of personal information vary considerably among federal, state, local, and tribal levels. To facilitate lawful information sharing, the technical means for sharing information nationwide (Shared Spaces and eGuardian) both have capabilities that enable agencies to safeguard personal information.

Furthermore, the NSI developed a Privacy Framework that fusion centers and federal agencies who share ISE-SARs through the NSI must adopt prior to participating. Specifically, the framework requires that participating entities (1) have an approved privacy policy in place that meets minimum requirements, such as ensuring data quality and security, prior to sharing ISE-SARs through the NSI; (2) use the Functional Standard to vet and determine if SARs have a potential nexus to terrorism; and (3) incorporate the delivery of privacy training.

¹¹ PMO officials noted that Shared Spaces could also be used to share other types of criminal information, such as gang-related data. The PM-ISE has recommended that DOJ examine the potential for using Shared Spaces to share critical information on other priority threats and crimes. The PM-ISE noted that, as of December 2012, DOJ had not yet submitted an implementation plan for such an approach.

¹² When law enforcement agencies submit SARs through eGuardian, personnel at the area fusion center or the FBI's efusion center vet the SAR against the Functional Standard or an equivalent standard before the SAR is disseminated within eGuardian for broader viewing.

¹³ Additional information on which entities use Shared Spaces servers and which use eGuardian is discussed later in this report.

DHS has also supported fusion centers in their self-initiated efforts to perform peer-to-peer audits to help ensure their continued adherence to SAR privacy protections, among other things. According to DHS officials, as of December 2012, fusion centers had completed 20 peer-to-peer privacy audits. The officials noted that some centers choose to conduct their own internal reviews or they are conducted by their parent agencies. In fiscal year 2013, the PMO plans to introduce a self-audit process for fusion centers to review their submission of ISE-SARs to ensure they adhere to the Functional Standard.

Almost All Fusion Centers and 53 Federal Agencies Are Participating in the NSI, but Feedback on the Use of SARs Could Be Enhanced

NSI Stakeholders Have Established the Capability to Share ISE-SARs at 74 of 78 Fusion Centers and 53 Federal Agencies

Most fusion centers and federal law enforcement agencies can now share ISE-SARs through the NSI. Participants we interviewed generally said that the NSI process is working well, but some state and local officials said that additional feedback on how the SARs are used could help them better contribute to the NSI. FBI officials we interviewed were concerned that fusion center processes for reviewing SARs may prevent them from receiving all SARs in a timely manner. The PMO and FBI are taking steps to revise NSI guidance to address the FBI's concerns.

The PMO has largely implemented the NSI at fusion centers, which in turn allows all law enforcement agencies within the fusion centers' jurisdictions to begin providing ISE-SARs as part of the NSI. The PMO and DHS have also begun training other homeland security partners (such as critical infrastructure owners and operators and emergency medical technicians) to identify and report terrorism-related SARs to the NSI. FBI officials said they have reached out to all federal departments and are implementing the NSI at agencies that have law enforcement or military force protection personnel that would be in a position to observe suspicious activity.¹⁴ The officials said they are determining if there are any additional agencies that should participate. Table 2 contains additional information on NSI implementation.

¹⁴ The federal agencies participating in the NSI include independent federal agencies and government corporations.

Table 2: Nationwide Suspicious Activity Reporting Initiative Implementation

Entity type: Fusion centers
Participation requirements: Technical requirements for sharing and analyzing Suspicious Activity Reports (SAR): obtain access to eGuardian (obtaining a Shared Spaces server is optional); and obtain access to the NSI Federated Search tool. Policy requirements to protect privacy, civil rights, and civil liberties: enter into a participation agreement with the Nationwide Suspicious Activity Reporting Initiative (NSI) Program Management Office (PMO); have at least one analyst trained to vet against the Functional Standard, enter into eGuardian or Shared Spaces, and analyze SARs; have an approved privacy policy in place; and have an approved site plan that describes the center's procedures and technology for implementing the SAR process.
Participation status: According to PMO officials, as of February 2013, 74 of 78 fusion centers had established the capability to share SARs: 72 of 78 fusion centers had implemented all technical and policy requirements (54 fusion centers also had a Shared Spaces server); 2 fusion centers had implemented the technical requirements required to share SARs but had not completed the policy requirements; 2 fusion centers intended to participate in the NSI but had not yet completed the technical or policy requirements; and 2 fusion centers had opted to not participate in the NSI.[a]

Entity type: State, local, and tribal law enforcement
Participation requirements: No requirements are set for state, local, and tribal law enforcement agencies to participate in the NSI.
Participation status: According to PMO data, as of November 2012, more than 14,200 local law enforcement agencies in 46 states; Washington, D.C.; and 2 U.S. territories had the capability to share ISE-SARs through the 74 fusion centers where the NSI is being implemented.

Entity type: Hometown security partners
Participation requirements: No specific requirements are set for hometown security partners to be able to report SARs. The PMO and DHS are working with key critical infrastructure and public safety associations to launch an outreach campaign to help provide training to hometown security partners.
Participation status: As of February 2013, more than 52,800 hometown security partners had received training. As of May 2012, 6 of 18 DHS-recognized critical infrastructure sectors were able to submit SAR data through DHS's Homeland Security Information Network, a secure web-based portal for information sharing. PMO officials said they plan to introduce maritime sector focused SAR training in fiscal year

Entity type: Federal agencies
Participation requirements: Technical and policy requirements to participate in the NSI: obtain access to eGuardian, receive an executive-level briefing, enter into a participation agreement with the PMO to document participation in the NSI, establish a SAR protocol that describes the process for reviewing and submitting SARs, adhere to a privacy policy, and complete training for frontline officers and analysts. Federal agencies have the option of obtaining a Shared Spaces server.
Participation status: According to the FBI, as of November 2012: 27 federal agencies and the Department of Defense had met all technical and policy requirements; and 26 federal agencies had met all requirements[b] except for completing analyst training. DHS and the Department of Transportation had decided to obtain Shared Spaces servers. All other federal agencies are using eGuardian as their means of sharing SARs.

Source: GAO analysis of DOJ documents and interviews with DOJ officials.
[a] PMO officials said these fusion centers opted not to participate in the NSI and therefore do not enter SARs into Shared Spaces or eGuardian because of state legal restrictions on sharing SARs in this manner.
[b] Appendix III provides a list of the 53 federal agencies participating in the NSI.

Selected State and Local Participants Reported the SAR Process Generally Worked Well, but More Feedback on the Use of SARs Could Help them Improve Reporting

Officials from 6 of the 7 fusion centers and 4 of the 5 local law enforcement agencies we interviewed said that the NSI process for vetting and submitting potentially terrorism-related SARs generally worked well for them.[15] The officials cited a number of benefits from their participation in the NSI.
For example, they reported that having the ability to view ISE-SARs from across the nation has allowed their fusion center to conduct analysis to identify trends of concern and potential threats; an increase in the quality of ISE-SARs has led to better information on potential terrorist threats; the Functional Standard has led to a common understanding of what terrorism-related ISE-SARs are and has helped protect privacy and civil liberties when sharing ISE-SARs; and officers have a better understanding of suspicious activities that may be indicative of terrorism and the importance of reporting SARs. These views were consistent with national law enforcement organizations' views, such as those of the International Association of Chiefs of Police and the Major Cities Chiefs Association, which have supported the creation of the NSI and its implementation nationwide.

[15] Officials from the remaining fusion center said they did not know if the process was working well. An official from the remaining local agency said that the process was not working well and that the agency needed additional information to ensure that all officers know to whom to provide SAR information.

Fusion center and local law enforcement agency officials we interviewed generally said that receiving additional feedback on the SARs they submit (such as whether the FBI has received the SARs, whether the FBI is investigating the SARs, or what the outcomes of any investigations are) would help them better contribute to the NSI. Specifically, executives from all 7 of the fusion centers, analysts from 6 of the 7 fusion centers, and officials from all 5 local law enforcement agencies we interviewed said that receiving feedback on the outcome of SARs they submit was important. They noted, for instance, that feedback reinforces that there is value in reporting, helps to identify what threats exist in their area so that they know what to look for, helps to ensure their SARs are accurate, and encourages officers to continue reporting.[16]

The FBI has established a mechanism to provide feedback on ISE-SARs through eGuardian, but not all of the stakeholders we interviewed were aware of or had access to this mechanism. Specifically, the FBI uses eGuardian to inform stakeholders of whether it has determined through an initial assessment if the ISE-SAR has (1) a potential nexus to terrorism and warrants an investigation, (2) an inconclusive nexus to terrorism, or (3) no nexus to terrorism.
FBI officials noted that eGuardian also provides the SAR submitter details about when the SAR was received by the FBI; which FBI field office is investigating the SAR; and contact information if the fusion center or state, local, or tribal law enforcement officials want additional information about the SAR. However, not all stakeholders use eGuardian and thus would not see this feedback. For example, while all fusion centers participating in the NSI have access to eGuardian, they may choose to use the Federated Search tool rather than eGuardian to review ISE-SARs and conduct analysis. Local law enforcement agencies are eligible to receive eGuardian accounts, but they do not need one to participate in the NSI, as they can provide SAR information to fusion centers or the FBI through other means, such as phone calls or e-mails. Officials from 3 of the 7 fusion centers we interviewed said they did not use eGuardian to review ISE-SAR data and officials from 2 of the 5 law enforcement agencies we interviewed said they did not have an eGuardian account. Moreover, executives and analysts from 4 of the 7 fusion centers we interviewed were not aware that this feedback existed.

[16] Analysts from the remaining fusion center said that feedback was not that important because their job is just to make sure that the FBI receives the information.

To help ensure that NSI participants receive feedback, the PM-ISE recommended in February 2010 that the PMO formalize NSI feedback mechanisms, but the PMO has not yet done so. Specifically, formalized feedback mechanisms were to ensure that at a minimum (1) organizations that receive SARs, such as fusion centers and the FBI, notify entities that submit SARs when information they provide is designated as an ISE-SAR and shared, and (2) fusion center or FBI personnel notify all NSI participants when further evidence leads them to determine that an ISE-SAR should no longer be designated as being terrorism-related so that the original information does not continue to be used as the basis for analysis or action.[17] Discontinuing use of such SARs, when applicable, may also address concerns related to the protection of privacy and civil liberties. According to PMO officials, formalized feedback mechanisms have not been established because they thought it would be best to let each fusion center determine if and how to elicit and provide feedback. However, as our work indicated, most of the fusion center officials we interviewed had not established such mechanisms and were not aware that the FBI provided feedback.
Standards for Internal Control in the Federal Government notes that management should ensure there are adequate means of communicating with, and obtaining information from, external stakeholders that may have a significant impact on achieving program objectives.[18] Implementing formalized NSI feedback mechanisms (which could include leveraging existing mechanisms such as those in eGuardian) and communicating these mechanisms to stakeholders could help ensure that NSI stakeholders receive the information they need to enforce SAR policies designed to protect privacy considerations, maintain situational awareness, conduct accurate analyses, or motivate personnel to continue to report SARs.

[17] PM-ISE, Nationwide Suspicious Activity Reporting Initiative Status Report (Washington D.C.: February 2010).
[18] GAO, Internal Control: Standards for Internal Control in the Federal Government, GAO/AIMD (Washington, D.C.: November 1999).

Selected Federal Participants Reported the NSI Process Generally Worked Well; Agencies Are Addressing FBI Concerns about Potentially Not Receiving Some Information

Officials from five of the seven JTTFs we interviewed, the Federal Protective Service, and the Bureau of Alcohol, Tobacco, Firearms and Explosives said that the NSI process to vet and submit SARs generally worked well for them.[19] For example, officials from four of the JTTFs said that the process had helped them receive more SARs from state and local agencies. Further, none of the JTTF officials believed that the NSI process had led to an overload of nonrelevant information. Officials from the Federal Protective Service and the Bureau of Alcohol, Tobacco, Firearms and Explosives said that the NSI has contributed to an increase in the number of ISE-SARs they submit. However, FBI officials from headquarters and all seven JTTFs we interviewed said that they had concerns that the FBI may not be receiving all available terrorism-related information because some fusion centers may share only ISE-SARs with the FBI (that is, SARs that have been determined to have a potential nexus to terrorism consistent with the Functional Standard criteria). They explained that the Functional Standard criteria are not as broad as the FBI's guidelines for investigating terrorism-related information.[20]
For example, FBI headquarters officials said that certain terrorism-related activities (such as those related to terrorist financing, known terrorism subject location, and past terrorism event information) currently are not among the behavior-based criteria in the Functional Standard but would meet the FBI's guidelines. FBI officials did not have readily available data on the extent to which SARs that do not meet the Functional Standard criteria are provided to the FBI.

[19] Officials from one of the two remaining JTTFs said they did not know if the NSI process was working well, and officials from the other JTTF said the NSI process was not working well because they were not aware of it. We interviewed both line officers and analysts from the Federal Protective Service and the Bureau of Alcohol, Tobacco, Firearms and Explosives. One bureau analyst we met with did not know if the process was working well. One Federal Protective Service line officer said that the process is not working well because law enforcement officials had multiple ways to report SARs.
[20] FBI investigative criteria are documented in its Domestic Investigations and Operations Guide.

Officials from four of the JTTFs we interviewed said that they had coordinated with the fusion centers in their jurisdictions to inform the fusion centers that they should provide all potentially terrorism-related information and not just ISE-SARs that met the Functional Standard. Officials from one JTTF noted that the state's fusion center had provided approximately 270 suspicious incident reports containing potentially terrorism-related information from June 2011 to October 2012, but only about 10 percent of them met the Functional Standard and were entered into Shared Spaces by the fusion center. The extent to which the fusion center officials we interviewed said they provide SARs that did not meet the Functional Standard to the FBI varied. Officials from 3 fusion centers said that they would always or most of the time provide SARs that did not meet the Functional Standard to the FBI; officials from 3 fusion centers said they would provide these SARs some of the time or occasionally based on their professional judgment; and officials from 1 fusion center said that they would never provide these SARs to the FBI, in accordance with the fusion center's privacy policy.

PMO and FBI officials said that they were working together to address this issue and develop a new version of the Functional Standard that is intended to harmonize the criteria that the FBI and fusion centers use to share ISE-SARs within the NSI. PMO officials said that the new Functional Standard will also provide guidance on sharing SARs with the FBI that do not meet the Functional Standard to help ensure that the FBI receives all relevant terrorism-related information while still protecting privacy and civil liberties.
As of November 2012, PMO officials said that the draft of the new Functional Standard was completed and was awaiting PM-ISE and Information Sharing and Access Interagency Policy Committee (ISA IPC) review and approval. In the meantime, PMO officials said that when fusion center personnel contact them with questions about whether or not to share a SAR, the officials advise the personnel to share the information with the FBI.

Officials from FBI headquarters and four JTTFs we interviewed also had concerns that fusion centers may be taking steps to investigate SARs (such as interviewing the individuals engaged in suspicious activity or who witnessed suspicious activity) before providing the SARs to the FBI.[21] Officials from 3 of the 7 fusion centers we interviewed said that they may do investigative work as part of their vetting process.[22] An official from one of these fusion centers explained that conducting some preliminary investigative work as part of the vetting process allows the center to better determine if the incident should be reported as an ISE-SAR. However, according to FBI officials, by conducting independent investigative work, fusion centers could disrupt ongoing FBI investigations or inappropriately dismiss a SAR and not provide relevant terrorism-related information to the FBI. PMO officials said that they have limited ability to control investigative procedures at state and local agencies, but the PMO's analytical training materials note that the vetting process should not include investigating. Further, PMO officials said that they plan to make a training video available in March 2013 that will further clarify that investigative work is not an appropriate part of vetting procedure.

[21] Officials from the other three JTTFs we met with did not raise this concern.
[22] The fusion centers that said they conducted investigative work were not always in the same jurisdictions as the JTTFs that raised concerns about such actions.

Maintaining Two Systems That Duplicate the Function of Sharing ISE-SARs Introduces Risks That Have Not Been Fully Addressed

The NSI leverages the ISE Shared Spaces and the FBI's eGuardian system to collect and share ISE-SARs. The two systems have overlapping goals and offer duplicative services, but also have some unique features. The federal government has decided to support both systems to meet users' differing needs. However, maintaining two systems introduces the risk that the FBI may not be able to review all potential terrorist threats because many fusion centers have decided not to automatically share all of their ISE-SARs with eGuardian, and the interconnection between the systems has not been fully tested. The PMO and FBI have taken steps to mitigate these risks, but they have not been fully addressed.